
Bug#1110769: xterm: segfault in ScrnWriteText on 3-byte binary data



Control: clone -1 -2
Control: retitle -2 xterm: allowC1Printable (-k8) does the opposite of what it says

On 2025-08-11 01:09:26 +0200, Vincent Lefevre wrote:
> An attacker could make an xterm crash by providing such a sequence
> in a text file. It is generally a bad idea to cat untrusted and
> unfiltered data to a terminal, but here, the sequence is so simple
> that it could pass through. Or it could be a mistake, as I've just
> done (I forgot to remove "-o -" from arguments); this was on several
> hundred KB of binary data, and I could reduce the testcase to
> just 3 bytes.

Well, the sequence should have been safe with my xterm settings,
because I had set allowC1Printable to true for this purpose.
The issue is that allowC1Printable does the opposite of what
it says. So data that should have been safe are actually unsafe
with "*allowC1Printable: true"!

Moreover, it seems that bug 839220 has reappeared. Both

  xterm -k8 -hold -e printf "\x1b\xa5@\xc3\xa9\n"
  xterm +k8 -hold -e printf "\x1b\xa5@\xc3\xa9\n"

show "Ã©" instead of "é", and UTF-8 encoding is disabled.

On 2025-08-11 01:37:32 +0200, Vincent Lefevre wrote:
> On 2025-08-11 01:09:26 +0200, Vincent Lefevre wrote:
> > I've just noticed that it is very easy to make xterm crash with
> > some binary data:
> > 
> >   /usr/bin/xterm -e 'printf "\x9a\x85\x08"; sleep 2'
> 
> Something important: this depends on the xterm settings.
> One needs the following in the XTerm resources:
> 
> *allowC1Printable:  true
> *VT100.reverseWrap: true

Here, the setting should be that C1 control characters are
regarded as control characters. The "*allowC1Printable: true"
is due to the bug mentioned above. One would have expected
"*allowC1Printable: false" to reproduce the bug.
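As an added illustration of the mitigation mentioned earlier in the thread (do not write unfiltered data to a terminal), and of the C0/C1 distinction the allowC1Printable resource is about, here is a small filter that neutralises control characters before they reach the terminal. This is example code written for this page, not part of the bug report or of xterm; the choice to let tab, LF and CR through unchanged is an assumption, as are the sample names. Valid UTF-8 is decoded first so that a multibyte character like the bytes C3 A9 (é) is kept intact, while a raw or UTF-8-encoded C1 control (U+0080..U+009F) is rendered visibly:

```python
# Added example (not from the bug report or xterm): neutralise C0/C1 control
# characters in untrusted bytes before they are written to a terminal, so a
# sequence such as the three-byte crasher 9A 85 08 is displayed as text
# instead of being interpreted by the emulator.

SAFE_C0 = {0x09, 0x0A, 0x0D}  # assumption: tab, LF and CR are allowed through


def is_terminal_control(cp: int) -> bool:
    """True for C0 controls (minus SAFE_C0), DEL, and C1 controls.

    C1 controls are the code points U+0080..U+009F; this is the range that
    xterm's allowC1Printable resource either displays or interprets.
    """
    if cp < 0x20:
        return cp not in SAFE_C0
    if cp == 0x7F:
        return True
    return 0x80 <= cp <= 0x9F


def sanitize_for_terminal(data: bytes) -> str:
    """Return text that is safe to write to a UTF-8 terminal.

    The bytes are decoded as UTF-8 first, so continuation bytes of a valid
    multibyte character (which also lie in 0x80..0xBF) are not mistaken for
    raw C1 bytes. Bytes that do not form valid UTF-8 are rendered by the
    codec as a literal backslash-x-NN, and every decoded control character
    is rendered the same way.
    """
    text = data.decode("utf-8", errors="backslashreplace")
    return "".join(
        f"\\x{ord(ch):02x}" if is_terminal_control(ord(ch)) else ch
        for ch in text
    )


# Constructed sample inputs, built from the byte sequences quoted in the report.
SAMPLES = {
    "three-byte crasher": b"\x9a\x85\x08",
    "ASCII-only crasher": b"\x1bZ\n\x08",
    "C1 byte next to UTF-8": b"\x1b\xa5@\xc3\xa9\n",
    "UTF-8 encoded C1 control": b"\xc2\x9a",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26s} {raw!r:32} -> {sanitize_for_terminal(raw)!r}")
```

Piping through such a filter (or through `cat -v`, which does something similar for C0 bytes) is the defensive counterpart to the resource settings discussed here: the terminal never sees the escape or C1 byte, whatever allowC1Printable happens to do.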

[...]
> So, to restrict to ASCII:
> 
>   /usr/bin/xterm -e 'printf "\eZ\n\x08"; sleep 2'
> 
> which still makes xterm segfault. And with this one, one just needs
> 
> *VT100.reverseWrap: true

This one is not affected by the allowC1Printable bug.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

